CVE-2023-23315
https://notcve.org/view.php?id=CVE-2023-23315
The PrestaShop e-commerce platform module stripejs contains a blind SQL injection vulnerability up to version 4.5.5. The method `stripejsValidationModuleFrontController::initContent()` contains sensitive SQL calls that are reachable with a trivial HTTP request and can be exploited for SQL injection. • https://friends-of-presta.github.io/security-advisories/modules/2023/03/01/stripejs.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2022-29188 – Smokescreen SSRF via deny list bypass (square brackets) in Smokescreen
https://notcve.org/view.php?id=CVE-2022-29188
Smokescreen is an HTTP proxy. The primary use case for Smokescreen is to prevent server-side request forgery (SSRF) attacks in which external attackers leverage the behavior of applications to connect to or scan internal infrastructure. Smokescreen also offers an option to deny access to additional (e.g., external) URLs by way of a deny list. There was an issue in Smokescreen that made it possible to bypass the deny list feature by surrounding the hostname with square brackets (e.g. `[example.com]`). • https://github.com/stripe/smokescreen/commit/dea7b3c89df000f4072ff9866d61d78e30df6a36 https://github.com/stripe/smokescreen/security/advisories/GHSA-qwrf-gfpj-qvj6 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2022-24825 – Smokescreen SSRF via deny list bypass
https://notcve.org/view.php?id=CVE-2022-24825
Smokescreen is a simple HTTP proxy that fogs over naughty URLs. The primary use case for Smokescreen is to prevent server-side request forgery (SSRF) attacks in which external attackers leverage the behavior of applications to connect to or scan internal infrastructure. Smokescreen also offers an option to deny access to additional (e.g., external) URLs by way of a deny list. There was an issue in Smokescreen that made it possible to bypass the deny list feature by appending a dot to the end of user-supplied URLs, or by providing input in a different letter case. Upgrading to Smokescreen version 0.0.3 or later is recommended. • https://github.com/stripe/smokescreen https://github.com/stripe/smokescreen/security/advisories/GHSA-gcj7-j438-hjj2 • CWE-918: Server-Side Request Forgery (SSRF) •
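The two Smokescreen advisories above (CVE-2022-29188, square brackets; CVE-2022-24825, trailing dot and letter case) share one root cause: a deny list compared against the host string as the client spelled it. The following Go program is an added example written for this page, not Smokescreen's own code; the function names naiveDenied, canonicalHost and hardenedDenied and the sample deny list are chosen here. It shows the string-comparison check beside one that canonicalizes the host first and fails closed on input it cannot canonicalize.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// naiveDenied is the weak form of the check: an exact string comparison
// between the host as the client sent it and each deny-list entry. This is
// a reconstruction of the behaviour the advisories describe, not the
// project's code.
func naiveDenied(denyList []string, host string) bool {
	for _, entry := range denyList {
		if host == entry {
			return true
		}
	}
	return false
}

// canonicalHost reduces a host to one comparable form before any policy
// decision. It covers the three bypasses named in the advisories:
//   - trailing dot: "example.com." names the same host as "example.com";
//   - letter case: DNS names are case-insensitive;
//   - square brackets: only legitimate around an IPv6 literal, so a
//     bracketed hostname is an error rather than a new, unmatched string.
// IP literals are normalized through net.ParseIP so that equivalent
// spellings of one address compare equal.
func canonicalHost(raw string) (string, error) {
	h := strings.TrimSpace(raw)
	if strings.HasPrefix(h, "[") && strings.HasSuffix(h, "]") {
		ip := net.ParseIP(h[1 : len(h)-1])
		if ip == nil || ip.To4() != nil {
			return "", fmt.Errorf("brackets are only valid around an IPv6 literal: %q", raw)
		}
		return ip.String(), nil // canonical lowercase IPv6 text
	}
	if strings.ContainsAny(h, "[]") {
		return "", fmt.Errorf("stray bracket in host: %q", raw)
	}
	if ip := net.ParseIP(h); ip != nil {
		return ip.String(), nil
	}
	h = strings.TrimSuffix(strings.ToLower(h), ".")
	if h == "" {
		return "", fmt.Errorf("empty host in %q", raw)
	}
	return h, nil
}

// hardenedDenied canonicalizes both sides before comparing and fails
// closed: a host that cannot be canonicalized is treated as denied.
func hardenedDenied(denyList []string, host string) bool {
	h, err := canonicalHost(host)
	if err != nil {
		return true
	}
	for _, entry := range denyList {
		c, err := canonicalHost(entry)
		if err != nil {
			continue // a malformed deny-list entry can never match
		}
		if h == c {
			return true
		}
	}
	return false
}

func main() {
	// Constructed inputs: one deny-list entry and the bypass spellings
	// from the two advisories.
	deny := []string{"example.com"}
	for _, probe := range []string{"example.com", "example.com.", "EXAMPLE.com", "[example.com]"} {
		fmt.Printf("%-14s naive=%-5v hardened=%v\n",
			probe, naiveDenied(deny, probe), hardenedDenied(deny, probe))
	}
}
```

Running it prints naive=false for the three bypass spellings and hardened=true for all four. A name-based deny list is only one layer: the page describes Smokescreen's purpose as stopping connections to internal infrastructure, and that property has to be enforced on the addresses the name actually resolves to, not on the spelling of the name.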
CVE-2022-24753 – Code injection in Stripe CLI on windows
https://notcve.org/view.php?id=CVE-2022-24753
Stripe CLI is a command-line tool for the Stripe eCommerce platform. A vulnerability in Stripe CLI exists on Windows when certain commands are run in a directory where an attacker has planted files. The commands are `stripe login`, `stripe config -e`, `stripe community`, and `stripe open`. macOS and Linux are unaffected. An attacker who successfully exploits the vulnerability can run arbitrary code in the context of the current user. • https://github.com/stripe/stripe-cli/commit/be38da5c0191adb77f661f769ffff2fbc7ddf6cd https://github.com/stripe/stripe-cli/security/advisories/GHSA-4cx6-fj7j-pjx9 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
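The advisory text does not say how a planted file gets executed. The Go program below is an added example for this page, not Stripe CLI code, and it assumes the classic shape of that bug class on Windows: a bare command name handed to os/exec is resolved against the current working directory before PATH, which Go did on Windows before Go 1.19. Since Go 1.19, exec.LookPath reports a result found in the current directory as exec.ErrDot, and that is the signal the wrapper refuses. The function names resolveCommand and underDir and the sample paths are chosen here.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
	"strings"
)

// resolveCommand looks up a bare command name the way a CLI would before
// spawning it, and refuses a result that came from the current working
// directory. Go 1.19+ returns exec.ErrDot from exec.LookPath in that case
// (on Windows, earlier versions searched "." first; on Unix it only
// happens when PATH contains "." or an empty entry). Assumed mechanism for
// the advisory above, not taken from the Stripe CLI fix.
func resolveCommand(name string) (string, error) {
	if strings.ContainsAny(name, `/\`) {
		// An explicit path bypasses the PATH search entirely; callers that
		// need one should pass an absolute, vetted path through another route.
		return "", fmt.Errorf("refusing %q: expected a bare command name, not a path", name)
	}
	path, err := exec.LookPath(name)
	if errors.Is(err, exec.ErrDot) {
		return "", fmt.Errorf("refusing %q: it resolved to a file in the current directory", name)
	}
	if err != nil {
		return "", err
	}
	return path, nil
}

// underDir reports, purely lexically, whether path lies inside dir. A CLI
// that has already resolved an executable can use it as a second check to
// reject a binary that sits under an untrusted working directory, however
// the path was obtained.
func underDir(path, dir string) bool {
	rel, err := filepath.Rel(filepath.Clean(dir), filepath.Clean(path))
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	// Constructed inputs: a tool that is probably on PATH and one that is not.
	for _, name := range []string{"go", "definitely-not-installed"} {
		p, err := resolveCommand(name)
		fmt.Printf("%-26s -> %q err=%v\n", name, p, err)
	}
	// Constructed paths: a binary inside a repository directory versus one outside it.
	fmt.Println(underDir("/work/repo/stripe.exe", "/work/repo"), underDir("/usr/bin/git", "/work/repo"))
}
```

The separator check in resolveCommand is deliberately strict: once a name contains a slash or backslash, os/exec tries it as a path relative to the working directory, which is exactly the attacker-controlled location in this advisory.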
CVE-2021-21420 – Vulnerability in Stripe for Visual Studio Code < 1.7.3
https://notcve.org/view.php?id=CVE-2021-21420
vscode-stripe is an extension for Visual Studio Code. A vulnerability in the Stripe for Visual Studio Code extension exists when it loads an untrusted source-code repository containing malicious settings. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. The update addresses the vulnerability by modifying the way the extension validates its settings. • https://github.com/stripe/vscode-stripe/security/advisories/GHSA-j6x4-4622-8vv3 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •